Simple email encryption with FireGPG

Simply put, cryptography is the process of hiding information. Though long the domain of computer scientists, mathematicians and secretive government agencies, this technology is now both fairly easy to use and ubiquitous. This spread of encryption technology has not happened a moment too soon, as encryption is more important for the average person than ever before.

Every email you send or receive, every instant message, comes to and from your computer without any protection. Due to the decentralized nature of the Internet, all these personal communications pass through dozens of computers, in some cases spread out through several countries, in the milliseconds it takes for a message to go from sender to receiver. Many of these computers, particularly your email provider, are required by law to keep copies of all of your messages, for long periods of time. Your private online conversations are not as private as you thought.

When faced with the reality that their online communications are not very private, many people claim that they "have nothing to hide." According to Professor Solove of George Washington University Law School, "the problem with the nothing to hide argument is with its underlying assumption that privacy is about hiding bad things." Have you ever had a very personal conversation with a close friend? Did you tape record that conversation and email it to everyone in your email address book? If not, then you probably have something to hide. It is not that such things are bad, it is that they are private.

Also, many people in the world live in countries that are not friendly to the idea of free speech, countries that suppress political and religious ideas that go against the government sanctioned norm. Many people in this situation try to get around government censorship and espionage by misspelling certain sensitive words or replacing them with "code words." Though such substitution is of limited usefulness in the case of automated censorship, it is of little use against actual espionage.

For all the various email privacy needs, there is a simple and easy to use solution known as the GNU Privacy Guard (GPG). Though the type of cryptography used by GPG is so secure that many governments use it to secure top secret information, GPG by itself is not very user friendly. However, FireGPG, an extension for Firefox, is an easy to use interface for GPG that can be used right inside your web browser. This guide focuses on installing and using FireGPG to send and receive encrypted email messages, on Windows, OSX and Linux.



Prerequisites 

GnuPG is very secure. However, the best security can be undermined by users who make mistakes and don't think their actions through clearly. It is not uncommon for people to use email encryption, only to have access to their private key stolen because they have a weak password. Also, if your computer has already been compromised by an attacker (perhaps by a virus or other means), then it is trivial for that attacker to steal your private key and your passwords, making it easy to intercept all your private communications. For a simple guide on staying safe on the Internet, check out this post.

The target audience for this guide is the average computer user. If you know how to browse the web and send email, this guide is for you. You do not need to be a computer geek, but you do need to be willing to think. Nothing in this guide should be prohibitively difficult to understand, but you will need to learn a few new concepts. If you are willing to keep an open mind, then read on.



Two types of encryption 
Symmetric encryption 

Imagine you are trying to send a private message to a group of friends, but you do not trust the mailman. The solution is to find a way to hide the message in plain sight. To do this you need three things: a message to send, a secret shared with your friends, and an agreed upon process for using the shared secret to hide the message in what looks like gibberish.

This is what is known as symmetric key cryptography, because there is only one key, aka secret, involved. The process for combining the key with the message is known as a cryptographic algorithm ("algorithm" is simply a fancy way of saying "set of instructions"), sometimes called a cipher. Since cryptography is much easier to use than it once was, a user does not need to concern themselves with the intricate mathematical details of how the algorithm works.



Asymmetric encryption, aka public key encryption 

There is one simple problem with symmetric encryption: it does not scale well. This is not so much a problem with the technology as it is a problem with the people using the technology. Everyone knows that a secret shared with two people is twice as difficult to keep secret as the same secret kept by only one person. Shared with three people it is three times as difficult, and with four people... you get the idea. There is also the issue of how to safely share the secret with groups of people. Again, the more people you add, the more difficult it becomes.

The answer to this problem is what is known as public key cryptography. With this kind of cryptography, the analogy of a key works less well than it did with symmetric encryption. Imagine that you again want to share a secret message with your group of friends. However, this time the cryptographic algorithm you have agreed to use is such that each person in the group has two keys. You do not need to understand all the fancy mathematical details, but what you do need to understand is that, unlike one key cryptography, each key in your pair can encrypt a message that the other key, and only the other key, can decrypt. This time everyone takes one of those keys and publishes it, letting the whole world see it. This is what is known as the public key. The second key is carefully hidden and protected, and is known as the private key.

It works like this: since you published your public key, any of your friends can find it on the Internet and use it to encrypt a secret message to you. Once it is encrypted with your public key, you are the only person who can decrypt it, because you keep your private key secret. This solves the problem of having a large group share a single secret.

This also lets you do something else, and that is prove your identity. As I said earlier, if something is encrypted by one key, the other key can decrypt it. Since you keep your private key secret, you can encrypt messages with it that only your public key can decrypt. Assuming that everyone trusts that you keep your private key safe, then anyone can decrypt that message you encrypted with your private key, while you are the only person who could have possibly encrypted it, therefore proving your identity. This is what is known as a signature. It is common practice for a sender to encrypt, or "sign", messages with their private key, then encrypt the message again with the public key of the recipient. When the recipient decrypts the message first with their private key and then with the sender's public key, they know not only that they are the only person to have read the message, but that the message was sent by the person who said they sent it.

Public key cryptography is the type of encryption that GPG uses. The key pair mentioned above is actually a set of two files containing very large, mathematically related random numbers. The rest of this guide will walk you through installing GPG on your computer, generating a set of keys, sharing public keys and using them to send encrypted messages. Make sure you understand the concept of public key cryptography before reading on.
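As an added illustration (not GPG's code or algorithm) of the two-key property this section relies on, here is textbook RSA with constructed toy keys built from Mersenne primes: whatever one key of a pair transforms, only its partner undoes, which gives both secrecy (encrypt to the public key) and signatures (transform a digest with the private key), and the sign-then-encrypt order described above. The function names are this example's own; real GPG signs a padded hash and encrypts with a random session key, so the numbers here are for following the idea, not for protecting anything.

```python
import hashlib

P_BYTES = 11   # plaintext block size; every toy modulus below exceeds 2**88

def c_bytes(n: int) -> int:   # ciphertext block size: bytes needed for any value below n
    return (n.bit_length() + 7) // 8

def make_keypair(p: int, q: int, e: int = 65537):
    """(public, private) as (n, exponent) pairs; the two exponents undo each other mod n."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # d = e**-1 mod phi (Python 3.8+)

def transform(key, data: bytes, forward: bool) -> bytes:
    """Apply one key of a pair, block by block.  forward=True pads the data (0x80, then
    zeros) and raises each block to the key's exponent mod n; forward=False undoes that.
    Since (m**e)**d == m (mod n), whichever key went forward, only its partner comes back."""
    n, exp = key
    size_in, size_out = (P_BYTES, c_bytes(n)) if forward else (c_bytes(n), P_BYTES)
    buf = data + b"\x80" + b"\x00" * (-(len(data) + 1) % P_BYTES) if forward else data
    out = []
    for i in range(0, len(buf), size_in):
        val = pow(int.from_bytes(buf[i:i + size_in], "big"), exp, n)
        if val >> (8 * size_out):         # never happens with the matching key
            raise ValueError("block does not decode under this key")
        out.append(val.to_bytes(size_out, "big"))
    return b"".join(out) if forward else b"".join(out).rstrip(b"\x00")[:-1]

def sign(private, message: bytes) -> bytes:
    """The guide's 'encrypt with your private key'.  Like GPG, sign a digest of the
    message rather than the message itself; the digest is one plaintext block."""
    return transform(private, hashlib.sha256(message).digest()[:P_BYTES], forward=True)

def verify(public, message: bytes, signature: bytes) -> bool:
    try:   # undo the signature with the public key and compare digests
        return transform(public, signature, forward=False) == hashlib.sha256(message).digest()[:P_BYTES]
    except ValueError:                    # wrong public key or mangled signature
        return False

def send(sender_private, recipient_public, message: bytes) -> bytes:
    """Sign, then encrypt to the recipient's public key: the order the guide describes."""
    return transform(recipient_public, message + sign(sender_private, message), forward=True)

def receive(recipient_private, sender_public, blob: bytes):
    """Decrypt with our private key, then verify with the sender's public key.
    Returns (message, signature_valid)."""
    plain = transform(recipient_private, blob, forward=False)
    sig_len = 2 * c_bytes(sender_public[0])   # an 11-byte digest pads to two blocks
    return plain[:-sig_len], verify(sender_public, plain[:-sig_len], plain[-sig_len:])

# Constructed toy keys from Mersenne primes: far too small for real use, fine for arithmetic.
ALICE_PUB, ALICE_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**127 - 1)

if __name__ == "__main__":
    blob = send(ALICE_PRIV, BOB_PUB, b"I'll meet you at the library at 10 AM.")
    print(receive(BOB_PRIV, ALICE_PUB, blob))   # (b"I'll meet you ...", True)
```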



Using encryption 

Installing GnuPG and FireGPG 

To start off with, you need to have GPG installed on your system. If you are running Linux, then chances are it is installed by default. If you are running Windows or OSX, you need to download the Windows installer (gnupg-w32cli-1.4.9.exe) or the OSX installer (MacGPG2-2.0.10-2.zip).

Once GPG is installed, open up Firefox and head over to getfiregpg.org. Click on the Install link to the right and click Download FireGPG on the next page. At this point you should see a warning at the top of the page saying "Firefox prevented this site (getfiregpg.org) from asking you to install software on your computer". Click Allow, and then Install Now on the window that pops up. In a few seconds Firefox will tell you that it needs to restart the browser for the installation to take effect, so go ahead and do that.



Generating a key pair 

The first thing you need to do once you have GPG and FireGPG installed is generate your personal key pair. You can access all of FireGPG's features via the right-click menu. To open up the key manager, right-click somewhere in the page and go to FireGPG / Key manager.

It is important to note that when you make a new key, you need a really good password. Hopefully your private key never falls into the wrong hands, but if it does it will be this password that protects it. In fact, the password is used as the key to a form of symmetric encryption that protects the private key you generate. If you have a good enough password, then the only practical way for an adversary to gain access to your key is to force you to reveal your password (interrogation, torture, blackmail, etc.).

At the bottom of the key manager window, click New Key. Fill out the information on the form, making sure to check the boxes The key never expires and Advanced options. Under Key length, set the value to 4096. Click Generate key and take notice of the text above the button, which reads "Warning! Key generation can take a lot of time, and will freeze Firefox. Do something else while the key is generated to create more entropy." Firefox froze on my system for about 1 minute while the key was being generated. This is normal, though your key generation time will vary based upon the speed of your processor. What the second bit of the warning text means is that you should move your mouse around a lot while the key is being generated. This will help make the process go a little faster.
[Screenshot: FireGPG - New key dialog]
Backing up your keys

The first thing you need to do once your key pair is generated is to back it up. There is nothing worse than distributing your public key to all your friends and coworkers, only to have your laptop lost or stolen, or have a hard drive break. These backups should generally be off-line, so as not to make it easier for an adversary to gain access to your keys remotely. If you have a CD burner, CDs make for great backups. Burn the files to CD and then stick it in a fire proof safe. If you do not have such a safe, give a copy to a trusted friend for safe keeping. If a CD is not an option, then a cheap USB stick will work as well. On OSX and Linux your keys will be in the folder .gnupg inside your home folder, so copy the entire folder (you may need to reveal hidden files first). On Windows, your gnupg folder is located at C:\Documents and Settings\admin\Application Data\gnupg, where admin is your user name.



Sharing a key 

Once you have created your keys and have backed them up, you need to start giving people your public key, so they can send you private messages. Make sure your key is selected in the key manager, then click Export to file. Give it a good name, like myname.asc, then save it to your desktop. You can now put this on a USB stick to give to a friend, email it as an attachment, or use any other method of sending a file to a friend.
Importing and validating a public key

Now let's say that Mr. Paranoid just exchanged public keys with you. To be able to encrypt messages with his public key you must first import it. To do so, go into the key manager and click Import from file. Find the key file in your file manager and click Open.



When you import a person's key, it is very important to determine your level of trust of that key, and there are a number of factors that go into this decision. First, you need to decide if you actually trust this person (in the normal sense of the word). Second, it is helpful to know if the person safely manages his keys. Ask him if he has a strong password, and discuss what the meaning of a strong password is. Third, if he is running Windows, does he have anti-virus software installed, and does he keep it up-to-date? Does this person run regular system updates and update the software on his machine? It is dangerous to send private messages to someone who is lazy about protecting their private key.

Also, perhaps the most important part about establishing trust is verifying that the public key you have came from who it says it came from. If you do not do this, then anyone can email you a key saying they are someone you know, even if they are not. This is what is known as a man-in-the-middle attack. The best way to establish this part of trust is to exchange the keys in person, face-to-face. Every key has a unique ID, which you can view in the key manager. Once the keys are exchanged, read off one another's key IDs to verify that you have the right key.



[Screenshot: FireGPG Key manager, listing each key's Name, ID, Created and Expires columns; the two entries are "Douglass Clem (personal key pair)" and "Mr. Paranoid (For demo purposes only)", each with its key ID and creation date]

In some cases it is simply impossible to verify keys in person. When this is the case, video chat (using a program such as Ekiga or Skype) is a good second option. Start a video conference, and read off the key IDs to one another just like you would if you were in person. Once you have determined the level of trust you are comfortable with, either in person or via video chat, you need to assign this to the public key you imported. Select the key in the key manager, then click Change trust. You will see a menu listing various statements describing various levels of trust, so click the statement you are most comfortable with.
Signing & verifying text

Now that we have some keys exchanged, it is time to learn about signatures and encryption. Sometimes you may want to write text that anyone can read, but want a way to prove that you wrote it. Right-click on the page, go to the FireGPG menu, and select Text editor. Type the message that you want to sign, then click Clearsign. You'll be presented with a list of your private keys (which will only have one item if you've only generated one key pair). Click your private key and click Ok. Type your password when prompted, then press enter. You will now have the signed text in the text editor, so you can click Copy to clipboard and close and then paste it in an email, web page or wherever you want to place signed text.



[Screenshot: FireGPG - Text editor ("Perform GPG operations on text"), showing the clearsigned message "I'm Douglass Clem, and I approved this message." with its Hash: SHA1 header and a signature block from GnuPG v1.4.9 (MingW32)]

Verifying signatures with FireGPG is very easy. By default FireGPG will detect blocks of text in a web page (or web-based email account) that are signed. It will also hide the signature data by default, and only display the signed text. Click Verify to see if the signature can be validated by a public key you have in your collection. Also, if you want to see the full signed message, click Display original.



[Screenshot: FireGPG's banner "PGP SIGNED MESSAGE. THIS MESSAGE HAS BEEN SIGNED WITH THE VALID KEY ID MR. PARANOID (FOR ...)" above the signed text "I agree to pay crashsystems $5 if he cleans my car.", with Hide original and Verify buttons, followed by the original clearsigned block (Hash: SHA1, GnuPG v1.4.9 (GNU/Linux))]


Encrypting text with a public key 

When you are writing an email in a web-based email service, and you plan on encrypting that email, it is important that you use FireGPG's text editor. This is because most web mail providers have an auto save feature, which saves your draft email to their server every few minutes. This means that the email provider has a copy of your unencrypted email. Once you are done typing your email in the text editor, click Encrypt. First you will be asked to select the public key(s) to encrypt to (you can select more than one by holding down the 'ctrl' key while clicking). When you click Ok, you will next be asked for the private key you want to sign the message with. If you do not want to sign the message, click Cancel. If you do choose to sign the message, you will be asked for your private key's password. Once the message is encrypted, you can click Copy to clipboard and close, and then paste it into the email you are going to send.



http://crashsystems.net/projects/email-encryption-guide/ (Simple email encryption with FireGPG, Version 1.0)
[Screenshot: FireGPG - Text editor ("Perform GPG operations on text:") showing an encrypted PGP MESSAGE block produced by GnuPG v1.4.9 (MingW32)]

Decrypting text 

Blocks of encrypted text in web pages are detected by FireGPG in exactly the way it detects signed text. Click Decrypt, and then type your password when prompted. Once you hit enter, you will see the original message, plus an indication of whether the message was properly signed by the sender or not (if the sender signed the message). You can also click Display original to see the encrypted text.
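As an added example (not FireGPG's code), the following Python scans page text for armored blocks the way this section and the "Signing & verifying text" section describe FireGPG doing: it finds clearsigned and encrypted blocks, separates the signed text from the signature data that FireGPG hides, records the armor headers, and checks the armor CRC-24 checksum from RFC 4880. The sample page is constructed with dummy signature and ciphertext bytes, the function names are this example's own, and the code assumes complete, well-formed armor; cryptographic verification stays with gpg.

```python
import base64
import re

def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def crc_line(data: bytes) -> str:   # the "=xxxx" line that closes an armor body
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()

def read_headers(lines, i):   # "Key: Value" armor headers up to the blank line ending them
    headers = {}
    while lines[i].strip():
        key, _, val = lines[i].partition(": ")
        headers[key] = val
        i += 1
    return headers, i + 1

def read_body(lines, i):   # base64 lines and "=crc" up to the END line; returns (crc_ok, next)
    body, checksum = [], None
    while not lines[i].startswith("-----END PGP "):
        if lines[i].startswith("="):
            checksum = lines[i]
        else:
            body.append(lines[i])
        i += 1
    return checksum == crc_line(base64.b64decode("".join(body))), i + 1

def find_blocks(page: str) -> list:
    """Scan text the way FireGPG scans a page: one dict (kind, headers, text, crc_ok) per block."""
    lines, blocks, i = page.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"^-----BEGIN PGP ([A-Z ]+)-----$", lines[i])
        i += 1
        if not m:
            continue
        kind, text = m.group(1), []
        headers, i = read_headers(lines, i)
        if kind == "SIGNED MESSAGE":   # clearsigned: the text comes first, then a SIGNATURE armor
            while lines[i] != "-----BEGIN PGP SIGNATURE-----":   # undo dash-escaping (RFC 4880 7.1)
                text.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
                i += 1
            sig_headers, i = read_headers(lines, i + 1)
            headers.update(sig_headers)
        crc_ok, i = read_body(lines, i)
        blocks.append({"kind": kind, "headers": headers, "text": "\n".join(text), "crc_ok": crc_ok})
    return blocks

# Constructed sample page: dummy signature/ciphertext bytes inside well-formed armor.
SAMPLE_SIG, SAMPLE_CT = bytes(range(20)), b"constructed ciphertext, not a real OpenPGP packet"
SAMPLE_PAGE = "\n".join([
    "Here is the deal we agreed on:", "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
    "I agree to pay crashsystems $5 if he cleans my car.", "- -- Mr. Paranoid",
    "-----BEGIN PGP SIGNATURE-----", "Version: GnuPG v1.4.9 (GNU/Linux)", "",
    base64.b64encode(SAMPLE_SIG).decode(), crc_line(SAMPLE_SIG), "-----END PGP SIGNATURE-----",
    "-----BEGIN PGP MESSAGE-----", "Version: GnuPG v1.4.9 (MingW32)", "",
    base64.b64encode(SAMPLE_CT).decode(), crc_line(SAMPLE_CT), "-----END PGP MESSAGE-----"])
```

A checksum mismatch means the armor was altered in transit or mangled by the page, which is worth reporting before handing the block to gpg.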



[Screenshot: FireGPG's banner "PGP ENCRYPTED MESSAGE. A VALID SIGNATURE WAS FOUND, WITH THE KEY ID MR. PARANOID (FOR ...)" above the decrypted text "I'll meet you under the overpass on the highway at 1:03 AM. Come alone!", with Hide original and Decrypt buttons, followed by the original encrypted block (GnuPG v1.4.9 (GNU/Linux))]